Vulnerability in HP BIOS causes system takeover

Vulnerability in HP BIOS causes system takeover
UEFI, BIOS, Vulnerabilities, vulnerability, CVE-2021-3808, CVE-2021-3809

Following recent fixes for a large number of UEFI vulnerabilities, worldwide-known PC and laptop vendor HP is releasing a new BIOS update. This time around, two serious vulnerabilities affecting a wide range of over 200 PC and laptop models that allow code to run with kernel privileges, including driver management and BIOS access, were the trigger.

Vulnerabilities in HP BIOS may lead crooks to takeover your PC

Analysts defined those vulnerabilities as CVE-2021-3808 and CVE-2021-3809, and gave a baseline CVSS score of 8.8. HP does not provide technical details at this time, only publishing the list of affected devices. Those are:

  • Zbook Studio
  • ZHAN Pro
  • EliteBook
  • ProBook
  • Elite Dragonfly
  • EliteDesk
  • ProDesk desktops
  • PoS Engage
  • Z1 and Z2 workstations
  • Thin client PCs [that run the same firmware version on the server]

The bugs were discovered back in November 2021 thanks to researcher Nicholas Starke, who explained in his blog that the vulnerability could allow an attacker running with kernel-level privileges (CPL == 0) to elevate privileges to system management mode (SMM). At the same time, SMM gives the attacker full privileges over the host for further attacks.

The problem is that it is possible to run the SMI handler from the OS environment, for example through a Windows kernel driver. Therefore, an attacker needs to find the memory address of the LocateProtocol function and overwrite it with malicious code. It can initiate code execution by instructing the SMI handler to do so.

Is that breach easy to exploit?

To exploit the vulnerability, an attacker should have root/SYSTEM-level privileges on the target system and execute code in System Management Mode (SMM). In addition, some models of HP computers have security features that an attacker needs to bypass in order for the exploit to work, such as HP Sure Start, which will shut down the host if the memory is corrupted. However, there are enough ways to get such privileges – from other exploits to tricking the user to install a trojan virus.

Driver updater PUP
Driver Updater app – the example of the program that may act as malware downloader

When the ultimate goal is achieved, the attacker, by overwriting the UEFI (BIOS), can achieve an outstanding persistency of malware on the machine. After such a trick, you can’t remove malware using antivirus tools or reinstalling the OS. So, that’s an obvious advice for all owners of HP hardware who do not want to become part of the ART operations that practice attacks through UEFI. Update the BIOS before cybercriminals update it without your participation.

Why are BIOS vulnerabilities so critical?

BIOS, as well as its modern replacement – UEFI, is the firmware of the lowest level. It runs on your hardware even before you launch the regular OS – Windows or Linux. Contrary to operating systems that interact with hardware using drivers, BIOS interacts directly. In the early ‘10s, Unified Extensible Firmware Interfacewas presented as a substitute for BIOS, which was considered obsolete to the moment.

Breach that allows the hackers to call the hardware on the kernel lever, i.e. circumventing the drivers, means that the one who exploits that breach may do literally anything. Turn off the computer, reboot it, delete the BIOS, substitute the latter with a malicious loader that will display the ransom banner over the screen – choose what you want. CVE Organisation, which tracks and documents all the detected vulnerabilities, still has not added the detailed description of CVE-2021-3808 and CVE-2021-3809. But I am pretty sure that they will increase the severity rating to 10/10 – that is a reall mess.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

View all of Stephanie Adlam's posts.

Leave a comment

Your email address will not be published.